Hi @cpu @JuergenAuer @webprofusion, I am using Let's Encrypt with CloudFront on AWS, and we allow our users to add domains in our system. But when we add the domains in AWS CloudFront, it takes 15-20 mins to fully deploy in all the regions. And somehow we see that the domains are not fully propagated within 15-20 mins in the region where your server validates the domains for issuing the SSL certificate. Can you please help me with how we can speed up this process, or can I request AWS to first update the configurations in your region so that your server can validate the domains quickly and we can get the SSL certificate quickly? We want to reduce the whole process timing.

The production validation requests currently all [seem to] come from Salt Lake City (?), United States (from Viawest network).

But there’s no guarantee that they’ll stay that way. Multi-VA (validation from many vantage points) is probably going to be ported to production eventually. That, and they could start (or already) perform validations from their second location in Colorado.

Aren’t you bottlenecked by the speed at which CloudFront propagates its distribution settings to edges? Are they really gonna re-engineer it for you?

You can also approach it from the other direction, and consult your CloudFront or origin logs to see where Let’s Encrypt’s requests usually go.

But CloudFront’s network is growing too, and neither side can guarantee which PoPs requests will hit.

The only real solution is for Amazon to deploy changes globally more quickly, or for you to make some sort of architectural changes.

It’s worthwhile to keep in mind that your user’s site is not reliably available to the world until it’s propagated to all regions. So you need to wait 15-20 minutes before telling your user the site is “ready” anyhow. Once it’s ready, it should only take a few seconds to request and install a certificate, assuming you have it automated. Does CloudFront give you an API to check for when your domains are propagated?
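The wait-then-request flow suggested in the reply above, as an added example that is not part of the original thread: it polls the distribution status through a boto3-style CloudFront client and then confirms the HTTP-01 challenge file is actually being served before the CA is asked to validate. The function names, `stable_checks` and the injected `fetch`/`sleep` parameters are assumptions of this example, and a local pre-flight check cannot prove that the edge Let's Encrypt reaches already has the new configuration.

```python
import time
import urllib.request


def distribution_deployed(cf_client, dist_id):
    """True once CloudFront reports the distribution status as Deployed."""
    resp = cf_client.get_distribution(Id=dist_id)
    return resp["Distribution"]["Status"] == "Deployed"


def http_get(url, timeout=10):
    """Fetch a URL body as text (default fetcher, needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def challenge_served(domain, token, key_authorization, fetch=http_get):
    """True if the HTTP-01 challenge URL returns the expected key authorization."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        body = fetch(url)
    except OSError:  # URLError/HTTPError, timeouts and refused connections
        return False
    return body.strip() == key_authorization


def wait_until_ready(cf_client, dist_id, domain, token, key_authorization,
                     fetch=http_get, interval=30, max_wait=1800,
                     stable_checks=3, sleep=time.sleep):
    """Poll until the distribution is Deployed and the challenge has been
    served correctly `stable_checks` times in a row; False on timeout.

    stable_checks is an assumption of this example: successive requests can
    land on different edges, so a single good answer is weak evidence.
    """
    waited, streak = 0, 0
    while waited <= max_wait:
        if (distribution_deployed(cf_client, dist_id)
                and challenge_served(domain, token, key_authorization, fetch)):
            streak += 1
            if streak >= stable_checks:
                return True
        else:
            streak = 0
        sleep(interval)
        waited += interval
    return False
```

With boto3, `cf_client` would be `boto3.client("cloudfront")`; the ACME client should tell the CA the challenge is ready only after `wait_until_ready` returns True.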

I assume this is using S3 buckets to store the website and HTTP challenge responses? It’s not a simple solution, but if you can intercept /.well-known/acme-challenge/ HTTP requests you can supply the response directly from a cache you control (possibly in a specific region).